Vulnerability Disclosure Policy

Woven by Toyota is committed to ensuring the security and integrity of our products, systems and services. Woven by Toyota recognizes the importance of collaboration with the security community and values the efforts of external researchers ("Reporter") in identifying and responsibly disclosing potential vulnerabilities. This Vulnerability Disclosure Policy (“Policy”) outlines scope requirements for reporting and addressing security vulnerabilities in our products, systems and services.

Products and Services in Scope

This policy covers any products, systems and services provided or maintained by Woven by Toyota and Woven City Management which are collectively referred to as “Woven by Toyota”. In addition, the following websites and their subdomains are in the scope of Policy: 

In the sections below, Woven by Toyota describes requirements for the reports that may be accepted under this Policy. Woven by Toyota reserves the right to change the scope of the Policy from time to time as needed.


Vulnerabilities can be reported by sending an email to Reports should include reproducible information such as steps and supporting evidence about vulnerability such as proof-of-concept code or screenshots. Please include the following information.

  • Name and version of the product where the vulnerability is discovered

  • Nature of vulnerability (e.g., SQL injection, buffer overflow) and its impact on the product

  • Technical impact and exploitability of the vulnerability

  • Step by step instructions to reproduce or verify the vulnerability 

  • Name of reporter/researcher

  • Date of discovery

  • Contact information (email)

Upon receiving a vulnerability report, we will acknowledge receipt and assess the reported vulnerability in a timely manner. If needed, we may engage with the Reporter for further clarification or assistance.

Program Requirements

The Woven by Toyota reporting program under this Policy is subject to the following requirements. If the Reporter complies with the Policy in good faith, Woven by Toyota will not recommend or pursue legal action against the Reporter in relation to the vulnerability reported.

  • The Reporter should comply with relevant laws and regulations.

  • The Reporter shall take good faith to avoid violating privacy laws and regulations of any applicable jurisdiction including but not limited to maintaining measures to safeguard the privacy of Woven by Toyota's customers and employees.  The Reporter should notify Woven by Toyota immediately in case of accidentally discovering personal information of Woven by Toyota customers or employees, and following such discovery upon Woven by Toyota request, the Reporter should delete such data.

  • The Reporter should not conduct social engineering, spam, or phishing attacks, as well as testing the physical security of Woven by Toyota's or third parties' properties. 

  • The Reporter should not (a) execute distributed denial-of-service, denial-of-service, or resource exhaustion including aggressive automated fuzzing attacks (collectively “DoS”), or (b) exploit vulnerabilities which can lead to DoS (e.g., buffer overflow, multiple attempts to exploit DoS, etc.). Passive identification which might lead to DoS conditions without attempts to exploit a vulnerability is allowed (e.g., analysis of the code which implements dangerous regular expression parsing, identification of components which are prone to DoS attacks due to well-known vulnerabilities).

  • The Reporter must not be employed by Woven by Toyota or a Woven by Toyota supplier, nor submit a report on behalf of such personnel. 

  • The Reporter shall not share or disclose to any third parties any information related to a report submitted under this Policy including the vulnerabilities reported or the fact that a vulnerability has been reported to Woven by Toyota unless 

  • such permission is explicitly given by Woven by Toyota

  • such information has already been made public by Woven by Toyota or its affiliates.

  • The Reporter shall not contemplate or engage in any act that may cause any damage of any nature to Woven by Toyota, its customers, employees, or third parties.

It's essential for the Reporter to understand and abide by these terms and conditions to ensure a cooperative and productive relationship with Woven by Toyota in addressing security concerns of our products, systems, or service.

Scope of Vulnerability Disclosure

Woven by Toyota welcomes vulnerability reports that demonstrate a genuine security issue in our products, systems or service. This includes, but is not limited to, vulnerabilities related to authentication, authorization, data exposure, injection attacks, cross-site scripting (“XSS”), cross-site request forgery (“CSRF”), and server-side request forgery (“SSRF”).  If there is a vulnerability that you would like to report to us about which is not in scope of this Policy, please contact us to discuss it first.

Exclusions from the Scope

The following types of reports are not within the scope of this Policy and are not eligible for submission: social engineering attacks, physical attacks, attacks requiring physical access to devices, attacks requiring privileged access to systems, attacks on outdated or unsupported software versions, and reports that are considered spam or automated scans. Throttling availability to our services with DoS is also not in scope. The following are out of scope:

  • Clickjacking on pages with no sensitive actions;

  • CSRF without a demonstrated vulnerability impact;

  • Password and account recovery policies, such as reset link expiration or password complexity;

  • Presence of autocomplete attribute on web forms;

  • Software version disclosure;

  • Vulnerabilities in web browsers;

  • SSL/TLS configurations without a demonstrated vulnerability impact;

  • Text injection that cannot be leveraged for XSS or sensitive data disclosure;

  • Missing http-only or secure cookie flags unrelated to a vulnerability;

  • Missing security headers unrelated to a vulnerability;

  • Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).


Woven by Toyota respects the confidentiality and privacy of the Reporter. Woven by Toyota will not share with third parties any personal information of and provided by the Reporter without the explicit consent of the Reporter unless required by law. The Reporter  will handle any non-public information they obtain during the disclosure process responsibly by maintaining the confidentiality of such information and not sharing it with third parties.  If you believe that sharing about the vulnerability is needed with third parties, you will coordinate with us and secure our approval prior to such sharing.

No Bug Bounty Program

Woven by Toyota does not conduct any bug bounty program. Accordingly, by submitting information to Woven by Toyota, the Reporter  acknowledges that there is no expectation of payment or compensation, and that it waives all claims for compensation for the submitted report.

License to Vulnerability Disclosure

Woven by Toyota does not claim any ownership rights to the information included in the reported Vulnerability Disclosure under this Policy, including any data, text, material, program code and suggestions received from the Reporter (Information). By providing any Vulnerability Disclosure information to Woven by Toyota, the Reporter :

  • grants Woven by Toyota a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in the Information to use, review, assess, test, and otherwise analyze the Information; and to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the Information and all its content, in whole or in part, for the purpose of fixing the reported vulnerabilities, improving products, systems or services, and marketing, sale and promotion of such improved products, systems or services;

  • acknowledges that it is not guaranteed any compensation or credit for the Information; and

  • represents and warrants that it hasn't knowingly used any information or intellectual property owned by a third party in violation of legal or contractual requirements, and that the Reporter has the legal right to provide such Information subject to this Policy.